exploit

package
v1.0.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 23, 2026 License: MIT Imports: 14 Imported by: 0

Documentation

Overview

Package exploit verifies known Swagger-UI client-side vulnerabilities (configUrl/url DOM XSS, spec-driven HTML injection) using a headless browser for high-accuracy confirmation. This module is OPT-IN and gated by the CLI: it only runs against targets the operator explicitly authorizes.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine confirms client-side vulns with a shared headless browser + PoC server.

func New

func New(screenshotDir string) (*Engine, error)

New starts the built-in CORS-permissive PoC server and a headless allocator.

func (*Engine) Close

func (e *Engine) Close()

Close shuts down the browser allocator and PoC server.

func (*Engine) PayloadURL

func (e *Engine) PayloadURL() string

PayloadURL returns the built-in PoC spec URL (used when no custom payload set).

func (*Engine) Test

func (e *Engine) Test(ctx context.Context, targetURL, param, payloadURL, cve, marker string, screenshot bool) Finding

Test loads targetURL with payloadURL injected via param, and confirms exploitation in a headless browser. Confirmation signals, in order of strength:

  • a JavaScript dialog fired (alert/confirm/prompt) -> script executed -> dom-xss
  • the built-in PoC markers (window flag / title / element) -> dom-xss / html-injection
  • a caller-supplied marker string found in the DOM or console

CORS-blocked spec fetches are reported distinctly so they aren't false negatives.

type Finding

type Finding struct {
	TargetURL   string   `json:"target_url"`
	TestedURL   string   `json:"tested_url"`
	Param       string   `json:"param"`
	PayloadURL  string   `json:"payload_url"`
	Vulnerable  bool     `json:"vulnerable"`
	Type        string   `json:"type,omitempty"`   // "dom-xss" | "html-injection"
	Signal      string   `json:"signal,omitempty"` // how it was confirmed
	Evidence    string   `json:"evidence,omitempty"`
	CVE         string   `json:"cve,omitempty"`
	UILoaded    bool     `json:"ui_loaded"`
	CORSBlocked bool     `json:"cors_blocked"`
	Console     []string `json:"console,omitempty"`
}

Finding describes a confirmed (or attempted) exploitation result.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL